Aveanna Healthcare has decided to pay the Office of the Attorney General of Massachusetts $425,000 as a financial penalty for not implementing proper safety measures to avoid phishing attacks, thus violating state and government legislation.
Aveanna Healthcare operates in 33 states and is the biggest pediatric home care provider in the country. In summer 2019, Aveanna Healthcare encountered a phishing attack by which over 600 phishing emails were mailed to its workers. The phishing emails tried to mislead the recipients into giving credentials, other sensitive data or money. The initial email account breach happened in July 2019. The attacks went on all through the summer. Aveanna Healthcare found out about the breach on August 24, 2019.
According to the forensic investigation, several employees were misled into revealing their account information, allowing the attackers to access sections of the network that held the protected health information (PHI) of 166,000 individuals. The PHI of around 4,000 Massachusetts residents were included. The patient data compromised and possibly stolen included names, driver’s license numbers, Social Security numbers, financial account numbers, and medical data like diagnoses, prescription drugs, and treatment details. The threat actors furthermore signed into the human resources system and tried to alter the direct deposit details of employees to redirect payments.
The Massachusetts Attorney General’s Office investigated the phishing attacks and confirmed that Aveanna Healthcare did not enforce proper safety measures to avoid phishing attacks. The AG’s Office claimed Aveanna knew that it had insufficient cybersecurity plans during the phishing attacks and that it lacked resources to sufficiently protect against phishing attacks, for example, multifactor authentication and employee security awareness training. The Massachusetts AG’s Office established that Aveanna’s security system did not meet the minimum security level required by the HIPAA Security Rule nor the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts.
To settle the violations, the consent judgment directed Aveanna to pay a $425,000 financial penalty to the Massachusetts AG’s office, and implement a corrective action plan that necessitates Aveanna to create, enforce, and retain a security program with multi-factor authentication, phishing protection technology, and other systems made to identify and deal with intrusions. Aveanna should additionally give the workforce extra security awareness training and give frequent updates on the newest security threats. Aveanna needs to go through yearly independent audits of its compliance with the consent order. The Massachusetts AG’s Office will monitor it in four years’ time.
Companies are obligated to have the proper security measures and systems to stop hackers from getting access to sensitive data. Aveanna will now be sure to comply with the data security laws and do what is necessary to secure the data of employees and Massachusetts residents.
Aveanna Healthcare is additionally confronted with a class action lawsuit due to the compromise of patient information. The lawsuit claims Aveanna failed to employ proper security measures and took a long time to report the data breach, which is 5 months after discovering the breach.